28 Commits (v2)

Author SHA1 Message Date
Jason McNeil 66a881441b
fix(middleware/session): mutex for thread safety (#3050)
* chore: Remove extra release and acquire ctx calls in session_test.go

* feat: Remove unnecessary session mutex lock in decodeSessionData function

* chore: Refactor session benchmark tests

* fix(middleware/session): mutex for thread safety

* feat: Add session mutex lock for thread safety

* chore: Refactor releaseSession mutex
2024-06-30 21:16:23 +02:00
Jason McNeil c7bfb31bf9
test(middleware/session): Remove extra release and acquire ctx calls in session_test.go (#3043) 2024-06-26 15:46:28 +02:00
René abf8f324d6 prepare version v2.52.5 2024-06-26 11:05:26 +02:00
Jason McNeil 7926e5bf4d
Merge pull request from GHSA-98j2-3j3p-fw2v
* fix: token injection vulnerability GHSA-98j2-3j3p-fw2v

- Ensure session IDs are securely generated server-side.
- Add validation to prevent user-supplied session IDs.
- Update tests to verify correct session token use.

This update addresses the critical session middleware vulnerability identified in versions 2 and above of GoFiber.

* test(middleware/csrf): Save session after generating new session ID

This commit saves the session after generating a new session ID to ensure that the updated session ID is persisted. This change is necessary to address a critical session middleware vulnerability identified in versions 2 and above of GoFiber.

* chore: Save session ID in context for middleware chain

The code changes add functionality to save the newly generated session ID in the context, allowing it to be accessible to subsequent middlewares in the chain. This improvement ensures that the session ID is available for use throughout the middleware stack.

* test: Fix session freshness check in session_test

The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.

* refactor(session.go): general clean-up

* chore: Revert session freshness behavior

The code changes in `session_test.go` fix the session freshness check by updating the assertions for `sess.Fresh()` and `sess.ID()`. The previous assertions were incorrect and have been corrected to ensure the session ID remains the same and the session is not fresh.
2024-06-26 09:17:41 +02:00
nickajacks1 8d5248bee6
🚨 Test: race in session middleware tests (#2740)
A Session must not be accessed after Save() is called, but a unit test
calls Session.ID() after Session.Save(), sometimes causing the test to
fail when -race is enabled. The assertions that ID() was being used in
were redundant with the previous two assertions (checking that the
session name header is empty), so we can just remove the offending code.
2023-11-27 14:38:31 +01:00
KaptinLin d00f0b8348
feat: add Reset method to Session struct in session middleware (#2654) 2023-10-02 15:19:35 +02:00
M. Efe Çetin 6e443f6026
refactor: use utils.AssertEqual instead of t.Fatal on some tests (#2653) 2023-09-28 14:40:42 +02:00
João Victor Oliveira Couto f29f39b1b3
fix: Decompress request body when multi Content-Encoding sent on request headers (#2555)
* 🔧 feat: Decode body in order when sent a list on content-encoding

* 🚀 perf: Change `getSplicedStrList` to have 0 allocations

* 🍵 test: Add tests for the new features

* 🍵 test: Ensure session test will not raise an error unexpectedly

* 🐗 feat: Replace strings.TrimLeft by utils.TrimLeft

Add docs to functions to inform correctly what the change is

* 🌷 refactor: Apply linter rules

* 🍵 test: Add test cases to the new body method change

* 🔧 feat: Remove return problems to be able to reach original body

* 🌷 refactor: Split Body method into two to make it more maintainable

Also, with the previous fix to problems detected by tests, it becomes really hard to make the linter happy, so this change also helps in it

* 🚀 perf: Came back with Header.VisitAll, to improve speed

* 📃 docs: Update Context docs
2023-08-06 17:23:37 +02:00
leonklingele 167a8b5e94
🚀 Feature: Add and apply stricter golangci-lint linting rules (#2286)
* golangci-lint: add and apply stricter linting rules

* github: drop security workflow now that we use gosec linter inside golangci-lint

* github: use official golangci-lint CI linter

* Add editorconfig and gitattributes file
2023-01-27 09:01:37 +01:00
M. Efe Çetin 5406560033
🧹 chore: make most tests parallel (#2299)
* 🧹 chore: make most tests parallel

* revert some tests

* revert some tests

* revert some tests
2023-01-15 23:21:37 +08:00
M. Efe Çetin 305bb072be
🧹 tidy up: fix linter errors for tests (#2102) 2022-09-19 08:33:58 +02:00
Amir Hossein ffb2d4cb1a
fix unhandled error in cache package tests (#2049)
* fix unhandled errors

* fix unhandled error in cache package test

* omit variable type

* omit variable type

* rename variable because it collides with the imported package name
2022-08-26 14:10:46 +02:00
Bhurinat Wangsutthitham 0e08bb4fe7
🐛 session should not regenerate the ID in case Get() returned nil (#1493)
* fix: session should not regenerate the ID in case Get() returned nil

* fix: prevent falsy unit-tests

* docs: improve wordings on tests
2021-08-23 08:32:14 +02:00
Spedoske e082880297
Fix: Session middleware issues (#1407)
* Update session.go

Fix: Session.Regenerate does not set Session.fresh to be true.

* Fix: Session should be regenerated if the session can not be found in the storage
https://github.com/gofiber/fiber/issues/1408

* Add test for session and store in session middleware.

* Clean up code

* Update middleware/session/session.go

Co-authored-by: hi019 <65871571+hi019@users.noreply.github.com>
2021-06-30 08:01:22 +02:00
João Victor Santos c08568e247
🔥 feat: expiration per session (#1363)
* feat(middlewares): expiration per session

* test(middlewares): session with expiration

* docs(middlewares): session

* chore: apply suggestions from code review
2021-06-13 12:39:19 +02:00
hi019 a7d9c6816e
Fix session delete when there is one key (#1366)
* Add regression test, attempt solution

* Attempt 2
2021-06-05 20:15:06 +02:00
LeoZhan 9b3662eae0
🔥 Customize the source of session_id (#1159)
* 🔥 Feature: Define KeyLookup configuration (#1110)

* 🔥 Feature: Allow session ID to be written in header (#1110)

* 🔥 Feature: Allow session ID to be obtained from different sources (#1110)

* 📚 Doc: Add Source configuration (#1110)
2021-05-29 02:48:25 +02:00
João Victor Santos 0de49175c7
feat(middlewares): session keys (#1337)
* feat(middlewares): session keys

- added a sess.Keys() method that retrieves all keys from the current session

* docs(middlewares): session
2021-05-23 08:45:33 +02:00
RW b1b490645e
Fix session middleware (#1235)
encoding/gob for session middleware
2021-03-26 11:24:55 +01:00
tianjipeng 59b12fbcb2
fix: lookup cookie in response header (#1191) 2021-03-01 17:25:36 +01:00
Fenny e28c886d73 🩹 fix internal memory storage 2020-12-03 11:14:33 +01:00
Fenny e1078f8716 🩹 fix #1030 2020-11-26 12:05:43 +01:00
Fenny 711911aeea 🩹 fix #1033 2020-11-25 13:10:01 +01:00
Fenny de912755f7 📦 update session 2020-11-16 14:22:44 +01:00
Fenny 27baab0ea0 🧨 introduce destroy 2020-11-13 18:30:14 +01:00
hi019 37dd02e4cb Comment out TODO test 2020-11-13 00:06:27 -05:00
hi019 edd9890518 Add session tests 2020-11-12 23:59:56 -05:00
Fenny e25206458d 🧪 add session test 2020-11-12 19:11:50 +01:00